Automation Won't Solve Weaponized Rootkits

Many people are unsure what a rootkit is. In short, it is malware
whose defining characteristic is stealth: it subverts the operating
system, or the layers beneath it, to hide its own presence and that of
the files, processes and network connections it controls, which makes
it far harder to detect and remove than ordinary malware.

With millions of dollars' worth of corporate secrets residing on
hosts throughout an organization, rootkits are the perfect vehicle
for stealing that information without detection. As if this weren't
treacherous enough, there are now examples of rootkits that run on
cellular phones, PDAs and even in firmware, below the operating system
entirely.

Most IT folks have heard the term "rootkit", but few truly
understand how to mitigate the threat.

The biggest mistake IT pros make is applying dated technologies and
methodologies to the problem. Traditional signature- and
heuristic-based solutions are not effective against rootkits: a
signature only matches a sample someone has already captured, and a
rootkit that intercepts the scanner's own file and process queries can
simply lie to it. Several studies have shown that tools specifically
designed for rootkit removal failed to identify 25% of the test set.

The problem is that rootkits have become weaponized. They feature
capabilities ranging from polymorphism all the way to anti-forensics
and encryption. Even the advanced tools used in the forensics
community suffer from deficiencies that now must be accounted for.

An example is disk analysis, a major part of forensic examination.
A weaponized rootkit counters this by residing only in memory and
never writing to the hard drive, so a disk image, however carefully
acquired, contains nothing to find; only a capture of volatile memory
taken while the machine is still running will. Another example is the
reverse-engineering process, in which researchers step through the
code under a debugger. This task is complex and tedious under normal
conditions, but today's weaponized rootkit actively obstructs
investigators: it detects that it is being debugged and crashes the
debugger.
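The memory-only behaviour described above leaves two traces on a running Linux host that a disk image never shows: a process whose executable has been unlinked (or was never a file at all, via memfd_create()), and executable memory regions with no backing file. The following is an added example, not code from the original article or any named tool; the suffix and prefix strings come from the kernel's /proc formatting, while the choice of which pseudo-regions to ignore and the sample maps text are assumptions made for the illustration.

```python
import os
from typing import Dict, List, Optional, Tuple

# Added example: two checks for code that lives only in memory on a Linux host.
# 1. /proc/<pid>/exe points at an executable that has no file on disk any more.
# 2. /proc/<pid>/maps contains an executable region with no backing file.
# The ignored pseudo-regions and the sample data are assumptions for this
# illustration, not taken from any particular tool.

DELETED_SUFFIX = " (deleted)"   # kernel appends this when the inode is unlinked
MEMFD_PREFIX = "/memfd:"        # anonymous file created with memfd_create()
KERNEL_REGIONS = ("[vdso]", "[vsyscall]", "[vvar]")  # legitimately anonymous


def classify_exe_target(target: str) -> Optional[str]:
    """Return a reason if the resolved exe link has no backing file, else None."""
    if target.startswith(MEMFD_PREFIX):
        return "memfd-backed executable"
    if target.endswith(DELETED_SUFFIX):
        return "executable unlinked from disk"
    return None


def suspicious_maps(maps_text: str) -> List[Tuple[int, int, str, str]]:
    """Parse /proc/<pid>/maps text and return executable regions that are
    anonymous, memfd-backed or backed by a deleted file.

    Each maps line is: start-end perms offset dev inode [pathname]."""
    hits = []
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 5:
            continue
        addr, perms = fields[0], fields[1]
        path = fields[5] if len(fields) == 6 else ""
        if "x" not in perms:
            continue                      # only executable memory matters here
        if path in KERNEL_REGIONS:
            continue
        if path == "" or path.startswith(MEMFD_PREFIX) or path.endswith(DELETED_SUFFIX):
            start, end = (int(x, 16) for x in addr.split("-"))
            hits.append((start, end, perms, path))
    return hits


def scan_proc(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Walk a procfs tree and report processes that trip either check.
    Unreadable entries (other users' processes, kernel threads) are skipped,
    so run as root for full coverage."""
    findings: Dict[int, List[str]] = {}
    try:
        names = os.listdir(proc_root)
    except FileNotFoundError:
        return findings                   # not a Linux procfs
    for name in names:
        if not name.isdigit():
            continue
        pid = int(name)
        reasons = []
        try:
            reason = classify_exe_target(os.readlink(f"{proc_root}/{name}/exe"))
            if reason:
                reasons.append(reason)
            with open(f"{proc_root}/{name}/maps") as fh:
                for start, end, perms, path in suspicious_maps(fh.read()):
                    reasons.append(f"exec region {start:x}-{end:x} {perms} {path or '<anon>'}")
        except OSError:
            continue
        if reasons:
            findings[pid] = reasons
    return findings


# Constructed sample of a maps file: sshd and libc are fine, the anonymous
# rwx region and the deleted /tmp binary are not.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 131099 /usr/sbin/sshd
7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0
7f3a10200000-7f3a103c0000 r-xp 00000000 08:01 262401 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a10400000-7f3a10410000 r-xp 00000000 08:01 917 /tmp/.x (deleted)
7ffd2b1e0000-7ffd2b1e2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for region in suspicious_maps(SAMPLE_MAPS):
        print("sample:", region)
    for pid, reasons in scan_proc().items():
        print(pid, reasons)
```

Two caveats apply. A rootkit that hooks the kernel's procfs code can lie to this check just as it lies to a scanner, so the result is only as trustworthy as the kernel answering it; treat a clean result as absence of evidence, and treat any hit as a reason to acquire memory before touching the host. JIT runtimes also create anonymous executable regions legitimately, so the maps check produces leads for a person to triage, not verdicts.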

As the bad guys continue to refine their rootkits, they know several
things about the environment most organizations operate in. The first
is the tremendous volume of data that has to be examined every day.
This data stream is a convenient river of white noise in which to mask
rootkit activity, such as a command-and-control connection buried
among millions of legitimate ones. They also know that, because of
storage limitations, organizations typically retain logs and packet
captures for only a short time, so all traces of an attack may be gone
before anyone looks for them. Even if you are lucky enough to identify
a packet stream generated by a rootkit, chances are you will not be
able to get your hands on the actual executable. That means you may
never know the extent of its capabilities or of the losses you
suffered.
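Picking a rootkit's traffic out of that river of noise is mostly a matter of looking at shape rather than content: a call-home driven by a timer has a regularity that browsing and backups do not, and a compact per-pair summary of that shape is cheap to retain long after the raw logs have rotated. The following is an added example, not code from the original article; the log format, field names, thresholds and the sample lines are assumptions constructed for the illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Added example: pick a regular "call home" out of ordinary connection noise.
# The log format, field names and thresholds are assumptions for this
# illustration; adapt the regex to whatever your flow logs actually look like.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)$"
)

Pair = Tuple[str, str]


def parse_line(line: str) -> Optional[Tuple[datetime, Pair]]:
    """Return (timestamp, (src, 'dst:port')) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, (m["src"], f"{m['dst']}:{m['dport']}")


def find_beacons(lines: Iterable[str], min_events: int = 6,
                 max_cv: float = 0.1) -> Dict[Pair, Dict[str, float]]:
    """Group connections by (source, destination), compute inter-arrival
    intervals, and flag pairs whose interval has low relative jitter.

    cv is the coefficient of variation (stdev / mean) of the intervals:
    near 0 means a fixed timer, near or above 1 means human or bursty traffic."""
    times: Dict[Pair, List[datetime]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, pair = parsed
            times[pair].append(ts)

    beacons: Dict[Pair, Dict[str, float]] = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue                                  # not enough history to judge
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            beacons[pair] = {"events": len(stamps), "mean_interval": mean, "cv": cv}
    return beacons


# Constructed sample: one host beacons every ~300 s to 203.0.113.5:443 while
# also browsing 198.51.100.7 irregularly; another host touches the same
# address only three times, too few to judge. The last line is junk.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=10.0.0.23 dst=203.0.113.5 dport=443 bytes=612
2024-05-01T10:00:12Z src=10.0.0.23 dst=198.51.100.7 dport=80 bytes=14820
2024-05-01T10:00:40Z src=10.0.0.23 dst=198.51.100.7 dport=80 bytes=3311
2024-05-01T10:01:00Z src=10.0.0.9 dst=203.0.113.5 dport=443 bytes=598
2024-05-01T10:04:55Z src=10.0.0.23 dst=203.0.113.5 dport=443 bytes=604
2024-05-01T10:06:00Z src=10.0.0.9 dst=203.0.113.5 dport=443 bytes=601
2024-05-01T10:07:10Z src=10.0.0.23 dst=198.51.100.7 dport=80 bytes=90211
2024-05-01T10:07:15Z src=10.0.0.23 dst=198.51.100.7 dport=80 bytes=1200
2024-05-01T10:09:58Z src=10.0.0.23 dst=203.0.113.5 dport=443 bytes=611
2024-05-01T10:11:00Z src=10.0.0.9 dst=203.0.113.5 dport=443 bytes=603
2024-05-01T10:14:57Z src=10.0.0.23 dst=203.0.113.5 dport=443 bytes=609
2024-05-01T10:19:58Z src=10.0.0.23 dst=203.0.113.5 dport=443 bytes=600
2024-05-01T10:20:00Z src=10.0.0.23 dst=198.51.100.7 dport=80 bytes=45000
2024-05-01T10:20:03Z src=10.0.0.23 dst=198.51.100.7 dport=80 bytes=2100
2024-05-01T10:24:55Z src=10.0.0.23 dst=203.0.113.5 dport=443 bytes=607
2024-05-01T10:29:59Z src=10.0.0.23 dst=203.0.113.5 dport=443 bytes=613
2024-05-01T10:31:30Z src=10.0.0.23 dst=198.51.100.7 dport=80 bytes=7700
2024-05-01T10:34:59Z src=10.0.0.23 dst=203.0.113.5 dport=443 bytes=602
this line is garbage and is ignored
"""

if __name__ == "__main__":
    for pair, stats in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(pair, stats)
```

On the sample the 10.0.0.23 to 203.0.113.5:443 pair comes out with eight events, a mean interval just under 300 seconds and a coefficient of variation around 0.01, while the browsing pair has a coefficient above 1 and the three-event pair is never scored. Real beacons add deliberate jitter, so in practice the threshold is tuned per environment and the score is combined with other weak signals (destination age, byte-count uniformity, off-hours activity) rather than used alone; the per-pair summary is also what is worth keeping once the raw logs are gone.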

And let's say you are able to identify a rootkit. Most likely it is
deeply embedded in the OS, or perhaps even beneath it. Removing a
rootkit is not like removing run-of-the-mill malware: tearing it out
may leave the system with irreparable damage, and that is if you are
lucky enough to remove it entirely. In practice the safer course is to
preserve the evidence and rebuild the host from known-good media rather
than trust a cleaned one.

So how do rootkits get onto hosts in the first place?

Unlike viruses and worms, which rely on automated mechanisms to
spread, rootkits are often planted by individuals with specific
intent. Many times this individual is a trusted employee, or someone
else with access to your most valuable electronic assets. The rootkit
is often custom-built for its task and designed to remain hidden for
long periods, years even. This can make determining the extent of the
damage very difficult, if not impossible.

So what can we do to battle weaponized rootkits?

This time the answer does not rest with automated tools. You need a
set of highly skilled people who understand the criminal mind, reverse
engineering, and how to spot rootkit activity in the flood of white
noise that every organization has.